Need some suggestion everyone,
Trying to configure NAT in Mikrotik router for local user IP address pool (192.168.0.0/22) to internet address IP pool (xxx.xxx.xxx.64/26).
/ip firewall nat
add action=netmap chain=srcnat out-interface-list=WAN src-address=192.168.0.0/22 to-addresses=xxx.xxx.xxx.64/26
Is it ok to netmap 762 local addresses to 64 internet addresses? will it worked like masqrade do?
Any help please.
Thanks,
Khandakar Faisal.
netmap substitutes the prefix and keeps the original suffix of the address. So with this rule, 16 private addresses, 192.168.0.1, 192.168.0.65, 192.168.0.129, …, 192.168.3.193 will all be src-nated to xxx.xxx.xxx.65. If you are OK with that, go ahead.
masquerade differs from src-nat in two tightly related aspects - it src-nats to the address assigned the outgoing interface, and the masqueraded connections stay linked to that address in terms that if this address gets deassigned, these connections get dropped. So the purpose of masquerade is not to make configuration easier but to deal with dynamically assigned WAN addresses.
Thanks Sindy for the reply. Nice explanation. Just need to query, what will happens to the other local IP addresses? for example, 192.168.2.2, …, 192.168.2.220 will be src-nated to address xxx.xxx.xxx.66 or xxx.xxx.xxx.67 as of the original suffix and so on? or some of the local IP addresses (192.168.0.0/22) will NAT-ed as the original suffix and shares the xxx.xxx.xxx.xxx internet addresses like masqrerade do?
Please note, Local lan addresses pool just need to access the internet using the internet pool addresses xxx.xxx.xxx.64/26 is the primary goal. do not matter which IP address is mapping with.
And thanks again.
yes, with netmap, .2, .66, .130, .194 will all be translated to .66, .3, .67, .131, .195 will all be translated to .67, etc.
If it doesn’t matter which local address will be translated to which public one, you can use src-nat instead of netmap, but experience shows that it brings some benefits to the user to get src-nated always to the same public IP because some webs are checking the source address of related connections for security reasons.
Not knowing the laws of Bangladesh, I cannot say whether you are obliged to be able to identify a particular user for any connection the authorities ask you to. If you are, the alternative to logging all initial packets showing the mapping of private source socket to public source socket is to dedicate a distinct range of ports to each private address getting translated to the same public IP. So in your case, you would use 16 port ranges, i.e. 2048 ports per range.
Many thanks for the clearification. BTW, try with src-nat, getting some no audio issue with some web conference apps. ok with netmap.
Read on, if you are clueless about netmap (like moi) and how it sourcenats…
Didnt have a clue what netmap could be used for and this is like slices of many to one.
Where the first slice is base+64+64+64+64… aka 1,65,129,… will always get assigned to xx.xx.xx.65 ******
Where second slice is (base+1)+64+64+64… aka 2,66,130… will always get assigned to xx.xx.xx.66
etc.
Thus a range of LANIPs (a slice of lanips - as per my poor mans binary math explanation) will always get the same WANIP hence an interesting many to one!
***apparently the first .0 192.168.0.0 is not available and thus the count starting point above is accurate.
Thanks Sindy…